Suricata with os-stunnel

Started by f1ne, January 08, 2026, 10:53:28 AM

Hi,

I'm trying to set up a scheme like this:
WAN -> stunnel (OPNsense) -> site (LAN).
stunnel acts as a TLS termination proxy.
This works, but Suricata does not see traffic between stunnel and the site on the LAN. How can this be fixed? I specifically applied TLS termination to OPNsense so that Suricata could see the decrypted traffic, but it does not see it, only the site's responses to clients are in the logs.

Thanks!

I guess Stunnel is a userland proxy, meaning any traffic it receives and forwards will most likely not be reinjected into kernel space (e.g. so PF or Suricata can see it), but copied directly onto the outgoing interface.

You could probably put another router between the Stunnel OPNsense and the LAN which acts as a transparent IPS bridge:

https://docs.opnsense.org/manual/how-tos/transparent_bridge.html

Hardware:
DEC740
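For reference, the layout discussed in the thread written out as a plain stunnel configuration (added illustration, not posted by either participant and not the config the os-stunnel plugin generates from its GUI; the plugin writes its own file). The addresses, certificate paths and service name are placeholders: 203.0.113.10 stands in for the WAN address, 192.168.1.1 for the OPNsense LAN address and 192.168.1.10 for the LAN web server.

```ini
; stunnel.conf for TLS termination on the firewall (illustrative, placeholder values)
; WAN clients -> 203.0.113.10:443 (TLS) -> stunnel -> 192.168.1.10:80 (plaintext)
setuid = stunnel
setgid = stunnel
pid = /var/run/stunnel.pid
foreground = no
debug = 5
output = /var/log/stunnel.log

[https-terminate]
; TLS listener on the WAN side
accept = 203.0.113.10:443
; Plaintext leg to the LAN site; this is the hop the IDS needs to inspect
connect = 192.168.1.10:80
; Bind the outgoing plaintext connection to the LAN address so the
; stunnel -> site leg always carries the same, predictable source IP
local = 192.168.1.1
; Server-side TLS material (placeholder paths)
cert = /usr/local/etc/stunnel/site.pem
key = /usr/local/etc/stunnel/site.key
client = no
sslVersionMin = TLSv1.2
```

The `local` directive is the useful part for this problem: the plaintext leg then originates from a fixed address, so it can be matched unambiguously in PF rules, in a capture, or by an IPS sitting on a bridge between the firewall and the server. To confirm what is actually on the wire, independently of what Suricata's netmap attachment reports, run `tcpdump -ni <LAN interface> -A 'host 192.168.1.10 and tcp port 80'` on the firewall while making a request from the WAN side and compare the connection with the corresponding entries in Suricata's EVE log.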